DNSSEC for recursive server

Techi techi at tellas.gr
Fri May 21 06:54:01 UTC 2010

I try to setup (=prepare) the our DNS servers for the DNSSEC era.
I have a Centos 5.x with Bind 9.3.6-4. I have one problem and 2 questions.
The problem is that the specific version seems to lack support for DNSSEC 
validation! named-checkconf returns the following error:
/etc/named.conf:212: unknown option 'dnssec-validation'

Now the questions:
1. I try to understand the concepts of DNSSEC and the signing of root zones. 
As far as I understand, all I need to add in my bind's configuration are the 
following lines:
        dnssec-enable yes;
        dnssec-validation yes;
Is that correct?

If not so, then what DLV should I use? That if ISC, IANA's, RIPE, what? And 

2. At another server (opensuse with bind 9.6) I modified the named.conf files 
are above and then performed the query: dig +multiline +cd +dnssec dlv.isc.org 
dnskey @localhost

The answer was:
; <<>> DiG 9.6.1-P3 <<>> +multiline +cd +dnssec dlv.isc.org dnskey @localhost
;; global options: +cmd                                                      
;; Got answer:                                                               
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16333                    
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1      

; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:                    
;dlv.isc.org.           IN DNSKEY     
So, the specific server is DNSSEC aware and I will not face any issues with the 
root zones signing at 01/07/2010. Correct?

Thank you.

More information about the bind-users mailing list